Basic WordPress security (part 9) - Small Business Toolbox

Now that you’ve built your shiny new website it’s important that you keep everything secure. Any website can be hacked and there are a few simple steps you can take to minimise the chances of anything going wrong.

Basic security for a WordPress website

Before you make your website ‘live’ and available for search engines to index, you need to carry out a few basic security steps to protect your site against hacking attempts. This is especially important if you store personal information about your users, for example if you have an online shop. In this video I’ll take you through some of the changes I like to make to the default WordPress installation:

WordPress Security - keeping your business website safe! (part 9)

Watch this video on YouTube.
Concerned about privacy? Please read our Privacy Policy before watching videos on this site - link at the bottom of every page. Thank you!

How are WordPress websites likely to be hacked?

The most common way for WordPress websites to be hacked is via a brute force attempt. That basically means the hacker visits your wp-admin page and tries various ‘default’ usernames and passwords until they hit lucky. You’d be amazed how many websites use ‘admin’ and ‘password’! (don’t try it on this site, you’ll instantly be locked out).

So here’s some information you need to hide from the general public:

Your admin username
Your admin e-mail address
Your admin password
Your WordPress Login URL (wp-admin)

Keep the above away from public eyes and that’s a really good start. The only problem is, with a default WordPress installation your admin username will be shown on every Post!

WordPress admin usernames can be seen by everyone — Everyone knows your admin username!

So in this article we’re going to follow a few simple steps to protect and secure your website. This process is known as ‘hardening’.

How do you harden a WordPress website?

One of the most important things you can do is to hide your admin username. This will thwart the vast majority of brute force hacking attempts.

How do I hide my admin username in WordPress?

In order to hide your admin user we’re going to create a second ‘dummy’ account that we’ll assign as the author of all your Pages and Posts. To do this click on ‘Users’ and ‘Add New’:

Username: Pick any name you like but make sure it’s not guessable
Email: Use the ‘user’ e-mail address you created earlier – in my example it was user-andy@mydomain.com
First & Last Name: I like to use a first name of ‘Contributor’ and last name of ‘User’ since we’re creating a Contributor User
Role: Contributor

Then click ‘Add New User’. WordPress will create a strong password automatically – you don’t need to know what it is. Then click ‘Edit’ on the user account you’ve just created. Add a ‘Nickname’ and change the display name to the nickname you just added. This should be the name you want shown as the author of posts on your website – the public name. So in my example I’m using ‘Small Business Toolbox’:

Once you’ve done that scroll to the bottom and click ‘Update User’.

How do I disguise my WordPress admin account?

As an additional security step I also like to disguise my admin user. Edit your main admin user, add the first name & last name of ‘Admin’ and ‘User’. Then create a fake nickname. The nickname should be a made up real name (I’ll explain why shortly):

How to use your new contributor user?

THIS IS THE REALLY IMPORTANT BIT! You need to change the Author of EVERY Post and Page on your site to be the new contributor user that you just set up. You can do this using the ‘Quick Edit’ option in your list of Posts and Pages:

You must also remember to change this whenever you create a new Page or Post. You can do this within the ‘Document’ tab when you’re writing your article.

If you forget to change it while writing your article you can always change it using the Quick Edit method shown earlier. Do this as soon as possible after publishing your article. By doing all of this:

All of your Posts and Pages will have an author which is a dummy account
Even the username of the dummy account is hidden
If you accidentally publish an article using your main admin account only the nickname will be visible
The username of your admin account should always be hidden

By using a fake name as the nickname of your admin account it should be obvious to you (but nobody else) that you need to change that post’s author from your admin account to the contributor account.

Paranoia check

As an additional little safety check, whenever you’re editing your website just have a quick glance and check that you one have ONE admin user and ONE contributor user.

Although it’s very rare for a website to be hacked, if you take sensible precautions, I have seen situations where the hacker has managed to create a new admin account for themselves. If it ever says ‘Administrator (2)’ then you need to drop everything and work out if you have an unwelcome visitor.

How do I hide my admin e-mail address?

We briefly covered this during the installation phase, but if you used the e-mail address associated with your admin account in the Settings -> Email address page then that’s a bit of a security risk. I prefer to change it to my generic ‘contact’ e-mail address:

It’s also a good idea to disable site registrations if you don’t need them. Make sure the ‘Anyone can register’ box isn’t checked.

Disable commenting

WordPress has the facility to allow anyone to comment on your articles. This can be great for building a loyal community but sadly it comes with security risks.

If you allow memberships (box above) and allow anyone to comment on new articles then you are basically letting ANYONE create a user account in your database. All it takes is one rogue plugin and that account could be granted access to do things it shouldn’t be allowed to do.

As such I generally prefer to disable memberships and public comments. On this website comments are reserved for paid members and that massively reduces the security risk. Most hackers don’t want to pay for an account to use that as an attack vector.

How to change the wp-admin login URL

This is really straight forward using a plugin such as WPS Hide Login. Have a look at this article for more information about how to use it.

Protect your site against brute force login attempts

If you haven’t already done so then make sure you’ve installed a security plugin such as Wordfence. Have a read of this article to see how I like to protect my site against brute force login attempts.

Want even more security?

If you take the steps highlighted in this article your website will be more secure than the vast majority of websites out there. Having said that no site is 100% immune from hackers. If you have a website that deals with sensitive information or is business critical I would suggest having a read of these additional WordPress security articles:

WordPress’ own hardening guide
SiteGround’s security tutorial for WordPress

So what if after all this something goes horribly wrong? What if your web host goes bust or you still end up getting hacked? Backups are your final safety net! Next time we’ll take a look at how to backup your WordPress website.

If you spot any errors in this article please get in touch. If you’ve got any questions you can post them below by becoming a member. Don’t forget to subscribe on YouTube and please join my mailing list.

Back to contents

Last Updated on 25 November 2020 by Andy Mac

About
Latest Posts

Andy Mac

Andy MacLellan has been self employed for over 20 years. In that time he's established award winning businesses and consulted for some of the biggest corporate blue-chips on the planet. His life now revolves around providing independent help to smaller businesses.